SECURITY TIP: Preview Shortened URLs

URL-shortening services like TinyURL and Bitly are handy for a variety of reasons, but shortened URLs also represent a ubiquitous and very dangerous security vulnerability. You must use your head and technology to avoid becoming a victim of malware, phishers, and hackers when clicking on shortened URLs. Here's what you need to know...

Shortened URLs?

No, it's not the name of a new TV show, and it has nothing to do with diminutive British aristocrats. Shortened URLs are simply website addresses that have been given a shorter alternative, to make them easier to type, share and manage.

Those blessedly short but cryptic URLs that redirect a clicker to an appallingly long URL are ubiquitous these days. Here's an example. I love Amazon.com, but they're one of the worst when it comes to really long URLs. The URL on Amazon's home page for the Kindle Fire 7" Tablet is shown in the image here.

Wow, that's over 180 characters, and a confusing mess when viewed by humans. It's impossible to share in that form on Twitter, which limits you to 140 characters; and if you paste that link into an email, chances are good it will get garbled. But a shortened version (http://goo.gl/6SQd72) which takes you to the same web page, is much easier to manage (and easier on the eye as well).

Even mainstream news media has gotten the clue; the Associated Press, hardly a bleeding-edge innovator, embeds shortened URL links to its original sources (sometimes, if it’s received copyright violation notices from the source). Many news organizations use shortened URLs, as well. In addition to the convenience of having a shorter URL, URL shortening services keep stats on how many times a link was clicked, so publishers can get insight into outbound clicks.

Many URL-shortening services exist and there are many browser add-ons to make using them a breeze. TinyURL is one of the oldest. Bit.ly is now the largest in terms of URLs shortened daily. Want to use Google’s goo.gl URL-shortener? Use this shortened URL to get the handy and powerful Chrome extension right here: bit.ly/UW97lu

The Problem With Shortened URLs

If you just clicked that link, the problem is demonstrated. You cannot tell what a shortened URL will do just by looking at it, as you can with many regular URLs. (The same is true of QR codes, by the way). You might end up downloading an invisible payload of malware; opening a remote-access link to your hard drive; looking at things you don’t want in your work computer’s browsing history, let alone your own memory; or meeting a nice young Nigerian prince who needs your help moving $50 million out of the country.

Another potential problem is that the page to which a shortened URL redirects can be changed. This can be good or bad. If there is a problem with the destination page, you just change the redirect to an alternate URL. But what if a hacker guessed the password to an AP reporter's Bitly account, and changed all his links to malware drive-by downloads?

How to Preview a Shortened Link

If only you could preview the full URL to which a shortened URL will redirect you without actually being redirected; then you could decide if it’s wise to proceed. All of the major URL-shorteners provide this obvious security precaution; here is how to do it:

Goo.gl and bit.ly – simply append a “+” (plus) symbol to the end of the shortened URL in your browser’s address bar and press Enter.

Is.gd – lets you append a “-” (minus) symbol to the shortened URL in its effort to woo ironic, contrarian hipsters.

TinyURL – add the prefix “preview.” (with the dot) to the beginning of the shortened URL, e.g. preview.tinyurl.com/aSefG2o5. Sigh; TinyURL was once a brilliant innovation.

Some URL shortening services do not support previewing. I would eschew such security slobs, but if you must check out such a URL you can paste it into ExpandMyURL or LongURL for a safe preview. If you use QR codes on your smartphone, note that some of these solutions work for them, too.
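The preview steps above, plus the fallback of expanding a link without visiting it, as an added Python example that is not code from this article. `preview_url` applies the per-service rules as listed here; `expand` lists each redirect hop using HEAD requests that never load a page body. The function names, the hop limit and the `fetch` parameter are assumptions of this example.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Preview rules exactly as the article lists them (host -> how to build the preview URL).
PREVIEW_RULES = {"goo.gl": ("suffix", "+"), "bit.ly": ("suffix", "+"),
                 "is.gd": ("suffix", "-"), "tinyurl.com": ("prefix", "preview.")}

def preview_url(short_url):
    """Return the preview form of a shortened URL, or None if the host has no known rule."""
    if "://" not in short_url:
        short_url = "http://" + short_url  # the article writes bare hosts, e.g. bit.ly/UW97lu
    parts = urlsplit(short_url)
    host = parts.hostname or ""
    if host.startswith("www."):
        host = host[4:]
    rule = PREVIEW_RULES.get(host)
    if rule is None:
        return None  # unknown service: fall back to expand() below
    kind, token = rule
    if kind == "suffix":
        return f"{parts.scheme}://{host}{parts.path}{token}"
    return f"{parts.scheme}://{token}{host}{parts.path}"

def head_no_follow(url):
    """Send one HEAD request and return (status, Location); the redirect is not followed."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=5)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_no_follow, max_hops=5):
    """Return every URL a short link redirects through, stopping at the final destination."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop: " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)
```

Pass a different `fetch` callable to test the hop logic offline or to route the requests through a proxy or sandbox.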

Most recent comments on "SECURITY TIP: Preview Shortened URLs"

Posted by:
olamoree
15 Nov 2013

"LongURLPlease" add-on for Firefox returns an "Over Quota" designation. Is this a testimony to its need and popularity or is it a scheme by "those in the know" to discourage me from being able to quickly identify possible "stray-ware"?

EDITOR'S NOTE: No, I'm sure it's just a hosting issue.

Posted by:
LOUIS L
15 Nov 2013

YOUR NOTE ABOUT INTERNET EXPLORER GAVE ME A GOOD LAUGH. COULD USE IT, STUCK IN A HOSPITAL BED.

SINCERELY
LOUIS

Posted by:
Bonnie
15 Nov 2013

How do I determine whether a link is shortened?

Posted by:
Rick
15 Nov 2013

Used goo.gl in my monthly newsletter. In the second month google decided they must be spam because of the mass distribution and none of the links would work for readers. I could not contact a human at google to discuss their arbitrary judgement. Have since used free jot.my for two years which also does an excellent job of maintaining monthly stats (unlike tinyurl). Cheers

Posted by:
BevAnn
15 Nov 2013

As always, much appreciated.

Posted by:
DBAsteve
15 Nov 2013

I just don't click on shortened URLs. Their loss, not mine. It ain't safe, and I can't remember + or - or preview. Screw 'em.

Posted by:
john
16 Nov 2013

You lost me at AskBob, however it all sounds helpful to those who know what you are talking about. Sadly for me......Best regards. john.

Posted by:
Unitary
16 Nov 2013

Excellent security advice!

Checking a shortened URL before clicking on it is worth the small nuisance of copying and pasting it either into the address bar (with +/-/preview.) or on the homepage of ExpandMyURL.com, LongURL.org, etc.

Posted by:
Paul
16 Nov 2013

You can avoid using shorteners. See the ? in URL example for Amazon-- delete it and everything thereafter. Result takes you to same page without the added material.

EDITOR'S NOTE: Still 68 characters! :-)

Posted by:
Saboma
17 Nov 2013

Hey Bob, thanks for this post. I had wondered if there was help in this shortened url biz. Moreover, about the website issue I can only conclude that has to be a server problem because when I checked the link, I found that it is still 'Over Quota' a day later. Today is 11/16/13. So I did a search and located the Firefox addon here:

https://addons.mozilla.org/en-US/firefox/addon/long-url-please/

and even picked up the bookmarklet here:

http://marklets.com/Long%20URL%20Please.aspx

There is an addon for Chrome users also.

Posted by:
Joe S.
17 Nov 2013

Another quick check is that sometimes just hovering over the URL w/your cursor will let you see the longer URL. It fades quickly, so you may have to retry several times to "take it all in."

Posted by:
Erik S
17 Nov 2013

I have always felt that the perfect solution to all this is simply to… make a short URL from the get-go — one moreover, where a reader could easily guess himself forward to just about any article online by trying to type inside the letters of the URL. (Newspapers are bad — or good?! — at these behemoths, often including an entire (lengthy) title in the multiline URL.)

Simply make a policy of, say, adding the date (in reverse form (YMD), to increase the benefit of keeping all URLs in perfect chronological order) and page to the website name — for instance, www.papernamehere.com/20131124p06d for the fourth article (D) on page (0) 6 of the November 24, 2013, issue of the respective periodical…

Alternatively, short letters for the section (i or int for international, t or tr for travel, etc…) could be added somewhere (before the p for page number?), if so desired, but again, nothing major…

To find the second article of page 5 of the issue the day before (or a week, or a year, before), you would simply change a couple of letters and numbers.

Non-periodical websites could benefit from the same rules — for instance www.amazon.com/johnsmith16t07 for the seventh book title (T) of the 16th author named John Smith at Amazon; and www.amazon.com/johnsmith16t04i03.jpg for the third image (i for image) related to John Smith's fourth book…

Posted by:
Mike Reese
17 Nov 2013

Why do urls have to be so complicated? And while I get the ability to see the long form url, how do I know whether it's toxic or not just by looking at it?

Posted by:
Kenny
18 Nov 2013

I don't know one URL from another. I just trust Bitdefender IS and Norton DNS to keep me from going to any unsafe locations. So far so good.

Posted by:
MmeMoxie
20 Nov 2013

Bob ... You have got me, on the search, again. :)

In checking out the add-ons/extensions/applications LinkPeelR for Chrome, I ran across Magic Actions for YouTube. Boy, this Add-On, opened up some really neat add-ons/extensions for Chrome. All of these are free, so, I am "trial-testing" them and will let you know.

By installing Magic Actions for YouTube, I was given the opportunity to "install" Click&Clean, again a free program. From there, I looked into History Eraser, both from the same developer. I installed both the extension and app, for my Chrome Browser, which is free, also.

For those who care to check these extensions/apps for Chrome, here are the websites' URLs.

http://www.chromeactions.com/

http://www.hotcleaner.com/

I worry the most, about Chrome. It doesn't have a lot of security built into its code, so, I want to have extensions or applications, that will help protect me, while I am browsing with Chrome. Right now, I have been using Chrome, more often than Firefox. I really hate that Firefox has totally disabled "Java". I have gone to so many websites, that have been "disabled" by Firefox.

How dare Firefox, think it knows what is best for me. This is as bad, as government intrusion, telling you what is good for you, as well as what is bad and then, not allowing you to make your own decisions!!! So, for now, I am mainly using Chrome for my browser.

Posted by:
Ken A
28 Apr 2014

I NEVER click on a link that I am not sure of the source that sent it to me. My AV/Malware also reports if a site is suspicious. If it is, I just don't go there. Curiosity killed the Cat already.

Just a bit gun-shy now.

My $0.02 CDN
